From 893d4131b21ed169e192052658f60762644b7539 Mon Sep 17 00:00:00 2001
From: Conor Patrick
Date: Tue, 26 Mar 2019 19:00:12 -0400
Subject: [PATCH] change how pin is enforced for GA
---
 fido2/ctap.c | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/fido2/ctap.c b/fido2/ctap.c
index bebc9ab..a93fb66 100644
--- a/fido2/ctap.c
+++ b/fido2/ctap.c
@@ -1105,19 +1105,15 @@ uint8_t ctap_get_assertion(CborEncoder * encoder, uint8_t * request, int length)
 return ret;
 }
- if (ctap_is_pin_set() && GA.pinAuthPresent == 0)
+ if (GA.pinAuthPresent)
 {
- printf2(TAG_ERR,"pinAuth is required\n");
- return CTAP2_ERR_PIN_REQUIRED;
+ ret = verify_pin_auth(GA.pinAuth, GA.clientDataHash);
+ check_retr(ret);
+ getAssertionState.user_verified = 1;
 }
 else
 {
- if (ctap_is_pin_set() || (GA.pinAuthPresent))
- {
- ret = verify_pin_auth(GA.pinAuth, GA.clientDataHash);
- check_retr(ret);
- getAssertionState.user_verified = 1;
- }
+ getAssertionState.user_verified = 0;
 }
 if (!GA.rp.size || !GA.clientDataHashPresent)
@@ -1198,6 +1194,9 @@ uint8_t ctap_get_assertion(CborEncoder * encoder, uint8_t * request, int length)
 ret = ctap_make_auth_data(&GA.rp, &map, auth_data_buf, &len, NULL);
 check_retr(ret);
+ ((CTAP_authData *)auth_data_buf)->head.flags &= ~(1 << 2);
+ ((CTAP_authData *)auth_data_buf)->head.flags |= (getAssertionState.user_verified << 2);
+
 {
 unsigned int ext_encoder_buf_size = sizeof(auth_data_buf) - len;
 uint8_t * ext_encoder_buf = auth_data_buf + len;
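Review bot: With the `CTAP2_ERR_PIN_REQUIRED` return removed, a getAssertion request that omits pinAuth is now served on a PIN-protected key with `user_verified = 0`, and nothing in the new `else` arm says this is deliberate. I would add a comment there such as `/* No pinAuth: assertion is still issued, but UV stays clear; the RP decides whether UP-only is acceptable */` so the policy is not mistaken for a missing check. Because the PIN no longer gates the call, anything later in ctap_get_assertion that returns resident-credential user details (not visible in this hunk) should be conditioned on `getAssertionState.user_verified`, since CTAP2 requires user-identifiable fields to be withheld when user verification was not performed. The function body starts before and continues after the hunk.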
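Review bot: The UV bit is patched into the flags by shifting `getAssertionState.user_verified` directly, so any value other than 0 or 1 in that field would set unrelated flag bits in the signed authenticator data. Normalising it and folding the two statements into one avoids that: `head.flags = (head.flags & ~(1 << 2)) | (getAssertionState.user_verified ? (1 << 2) : 0);` on the same `CTAP_authData` cast, ideally with a named constant for the UV bit instead of the literal `1 << 2`. The cast of `auth_data_buf` to `CTAP_authData *` also assumes the buffer is suitably aligned and that the struct layout matches the wire format; the declarations are outside the hunk, so that is worth confirming. If other paths build assertion auth data through `ctap_make_auth_data` (none are visible here), they would need the same fix-up to report UV consistently.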